Platypus Hack Analysis
Published in
2 min readAug 3, 2023
Overview:
On July 12, 2023, Platypus suffered an attack on the Ethereum chain, due to a business logic issue leading to a loss of ~51K USD.
Smart Contract Hack Overview:
- Attackers address: 0xc64afc
- Attack Contract: 0x16a3c9
- Vulnerable Contract: 0x7e1333
- Attack Transaction: 0x4b544e
Decoding the Smart Contract Vulnerability:
- The main cause of the problem lies in the calculation of liquidity conversion for LP-USDC, which is flawed.
- When exchanging USDC for USDC.e, the calculation for determining the quantity of USDC.e becomes unreasonably large.
- Within the
_deposit
function, callingasset.addLiability()
contributes to an increase in theasset.liability()
parameter. - As a consequence, during the withdrawFrom process, the hacker is able to withdraw a greater amount of USDC.e than what was initially deposited as USDC.
Mitigation and Best Practices:
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.
Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord